Pension Benefit Guaranty Corporation
Office of Inspector General
AUDIT REPORT

Fiscal Year 2012 Federal Information Security Management Act (FISMA)
Independent Evaluation Report

May 1, 2013
Eval-2013-6/FA-12-88-5


Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, N.W., Washington, D.C. 20005-4026

May 1, 2013

To:       Josh Gotbaum, Director
From:     Candace Milbry, Acting Assistant Inspector General for Audit
Subject:  Fiscal Year 2012 Federal Information Security Management Act Independent Evaluation Report (Eval 2013-06/FA-12-88-5)

I am pleased to transmit the fiscal year (FY) 2012 Federal Information Security Management Act (FISMA) independent evaluation report, detailing the results of our independent public accountants' review of the Pension Benefit Guaranty Corporation (PBGC) information security program. This is the sixth report related to the fiscal year 2012 financial statements audit (AUD-2013-1/FA-12-88-1).

As prescribed by FISMA, the PBGC Inspector General is required to conduct annual evaluations of the PBGC security programs and practices, and to report to the Office of Management and Budget (OMB) the results of this evaluation. CliftonLarsonAllen LLP, on behalf of the PBGC OIG, completed the OMB-required responses that we then submitted to OMB on November 15, 2012. This evaluation report provides additional information on the results of CliftonLarsonAllen's review of the PBGC information security program.

Overall, the auditors determined that Information Technology (IT) continues to be a challenge for PBGC. The OIG and others have consistently identified serious internal control vulnerabilities and systemic security control weaknesses in the IT environment over the last several years. PBGC's delayed progress in mitigating these deficiencies at the root-cause level continued to pose increasing and substantial risks to PBGC's ability to carry out its mission during FY 2012. Due to the persistent nature and extended time required to mitigate such vulnerabilities, additional risks threaten PBGC's ability to safeguard its systems. These risks include technological obsolescence, inability to execute corrective actions, breakdown in communications, and poor monitoring. PBGC has made some progress in addressing IT security weaknesses at the root-cause level by continuing the implementation of its FY 2010 Enterprise Corrective Action Plan (CAP), and introducing additional reporting controls to track progress.

The response to a draft of this report indicates PBGC's agreement with all recommendations and documents expected completion dates. We would again like to take this opportunity to express our appreciation for the overall cooperation that CliftonLarsonAllen and the OIG received while performing the audit.

Attachment

cc: Judith R. Starr, Patricia Kelly, Alice Maroni, Barry West, Martin O. Boehm, Ann Orr


CliftonLarsonAllen LLP
www.cliftonlarsonallen.com

Ms. Rebecca Anne Batts
Inspector General
Pension Benefit Guaranty Corporation
1200 K Street, N.W.
Washington DC 20005-4026

Dear Ms. Batts:

We are pleased to provide the Fiscal Year (FY) 2012 Federal Information Security Management Act (FISMA) Independent Evaluation Report, detailing the results of our review of the Pension Benefit Guaranty Corporation (PBGC) information security program.

FISMA requires Inspectors General (IG) to conduct annual evaluations of their agency's security programs and practices, and to report to the Office of Management and Budget (OMB) the results of their evaluations. OMB Memorandum M-12-20, "FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," provides instructions for completing the FISMA evaluation. Evaluations conducted by Offices of Inspector General (OIG) are intended to independently assess whether the agencies are applying a risk-based approach to their information security programs and the information systems that support the conduct of agency missions and business functions.

CliftonLarsonAllen LLP completed the required responses on behalf of the PBGC OIG. The OIG then reviewed, approved, and submitted the responses to OMB on November 15, 2012. This evaluation report provides additional information on the results of our review of the PBGC information security program.

In preparing required responses on behalf of the OIG, we coordinated with PBGC management and appreciate their cooperation in this effort. PBGC management has provided us with a response (dated April 24, 2013) to the draft FISMA 2012 Independent Evaluation Report.

Calverton, Maryland
April 24, 2013


TABLE OF CONTENTS

I.     EXECUTIVE SUMMARY
II.    BACKGROUND
III.   OBJECTIVES
IV.    SCOPE & METHODOLOGY
V.     SUMMARY OF CURRENT YEAR TESTING
VI.    FINDINGS AND RECOMMENDATIONS
       1. Information Technology Controls for The Protection of Privacy
       2. Plan of Action and Milestones (POA&M)
VII.   FISMA-RELATED FINDINGS REPORTED IN THE FINANCIAL STATEMENT AUDIT
VIII.  FISMA RECOMMENDATIONS CLOSED IN FISCAL YEAR 2011
IX.    PRIOR AND CURRENT YEARS' OPEN FISMA RECOMMENDATIONS
X.     MANAGEMENT RESPONSE


I.    EXECUTIVE SUMMARY

Title III of the E-Government Act (Public Law No. 104-347), also called the Federal Information Security Management Act (FISMA), requires agencies to adopt a risk-based, life cycle approach to improving computer security that includes annual security program reviews, independent evaluations by the Inspector General (IG), and reporting to the Office of Management and Budget (OMB) and the Congress. It also codifies existing policies and security responsibilities outlined in the Computer Security Act of 1987 and the Clinger Cohen Act of 1996.

We are reporting two (2) FISMA findings with ten (10) recommendations for Fiscal Year (FY) 2012 based on the results of our FY 2012 independent evaluation. We note that these are the total of findings and recommendations related to information technology weaknesses. In addition to those in this report, thirteen (13) FISMA-related findings with thirty-four (34) recommendations were reported in the Corporation's FY 2012 internal control report based on our FY 2012 financial statements audit work. Based on the number of unremediated outstanding recommendations, PBGC does not have an effective information security program.

II.   BACKGROUND

The Pension Benefit Guaranty Corporation (PBGC) protects the pensions of approximately 43 million workers and retirees in more than 25 thousand private defined benefit pension plans. Under Title IV of the Employee Retirement Income Security Act of 1974, PBGC insures, subject to statutory limits, pension benefits of participants in covered private defined benefit pension plans in the United States. To accomplish its mission and prepare its financial statements, PBGC relies extensively on the effective operation of the Benefits Administration and Payment Department (BAPD) and information technology (IT). Internal controls over these operations are essential to ensure the confidentiality, integrity, and availability of critical data while reducing the risk of errors, fraud, and other illegal acts.

PBGC has become increasingly dependent on computerized information systems to execute its operations and to process, maintain, and report essential information. As a result, the reliability of computerized data and of the systems that process, maintain, and report this data is a major priority for PBGC. While the increase in computer interconnectivity has changed the way the government does business, it has also increased the risk of loss and misuse of information by unauthorized or malicious users. Protecting information systems continues to be one of the most important challenges facing government organizations today.

Through FISMA, the U.S. Congress showed its intention to enhance the management and promotion of electronic government services and processes. Its goals are to achieve more efficient government performance, increase access to government information, and increase citizen participation in government. FISMA also provides a comprehensive framework for ensuring the effectiveness of security controls over information resources that support federal operations and assets. It also codifies existing policies and security responsibilities outlined in the Computer Security Act of 1987 and the Clinger Cohen Act of 1996.

PBGC operates an open and distributed computing environment to facilitate collaboration and knowledge sharing, and support its mission of protecting the pensions of nearly 44 million workers and retirees. It faces the challenging task of maintaining this environment, while protecting its critical information assets against malicious use and intrusion.

The PBGC Office of Inspector General (OIG) contracted with CliftonLarsonAllen LLP to conduct PBGC's FY 2012 FISMA Independent Evaluation. We performed this evaluation in conjunction with our review of information security controls required as part of the annual financial statement audit.

III.   OBJECTIVES

The purposes of this evaluation were to assess the effectiveness of PBGC's information security program and practices and to determine compliance with the requirements of FISMA and related information security policies, procedures, standards, and guidelines.

IV.    SCOPE & METHODOLOGY

To perform our review of PBGC's security program, we followed a work plan based on the following guidance:

       • National Institute of Standards and Technology (NIST)'s Recommended Security Controls for Federal Information Systems, Special Publication (SP) 800-53, for specification of security controls.
       • NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, for certification and accreditation controls.
       • NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, for the assessment of security control effectiveness.
       • Government Accountability Office (GAO)'s Federal Information System Controls Audit Manual (FISCAM: GAO-09-232G), for information technology audit methodology.

The combination of these methodologies allowed us to meet the requirements of both FISMA and the Chief Financial Officer's Act.

Our procedures included internal and external security reviews of PBGC's information technology (IT) infrastructure; reviewing agency Plans of Action and Milestones (POA&Ms); and evaluating the following subset of PBGC's major systems:

       • Consolidated Financial System (CFS)
       • Integrated Present Value of Future Benefits (IPVFB)
       • Legal Management System (LMS)
       • Pension and Lump Sum System (PLUS)

We performed procedures to test (1) PBGC's implementation of an entity-wide security plan, and (2) operational and technical controls specific to each application such as service continuity, logical access, and change controls. We also performed targeted tests of controls over financial and business process applications. We performed our review from April 6, 2012 to September 30, 2012 at PBGC's headquarters in Washington DC. We also performed a security assessment of the PLUS application in July 2012 at State Street Corporation in Quincy, Massachusetts.

This independent evaluation was prepared based on information available as of September 30, 2012.

V.   SUMMARY OF CURRENT YEAR TESTING

Our review of IT controls covered general and selected business process application controls. General controls are the structure, policies, and procedures that apply to an entity's overall computer systems. They include entity-wide security management, access controls, configuration management, segregation of duties, and contingency planning controls. Business process application controls are those controls over the confidentiality, integrity, and availability of transactions and data during application processing.

Our review also included the integration of financial management systems to ensure effective and efficient interrelationships. These interrelationships include common data elements, common transaction processing, consistent internal controls, and transaction entry.

IT continues to be a challenge for management. The safeguarding of PBGC's systems and data is essential to protect PBGC's operations and mission. The OIG and others have consistently identified serious internal control vulnerabilities and systemic security control weaknesses in the IT environment over the last several years. PBGC's delayed progress in mitigating these deficiencies at the root-cause level continued to pose increasing and substantial risks to PBGC's ability to carry out its mission during FY 2012. Due to the persistent nature and extended time required to mitigate such vulnerabilities, additional risks threaten PBGC's ability to safeguard its systems. These risks include technological obsolescence, inability to execute corrective actions, breakdown in communications, and poor monitoring.

PBGC has made some progress in addressing IT security weaknesses at the root-cause level by continuing the implementation of its FY 2010 Enterprise Corrective Action Plan (CAP), and introducing additional reporting controls to track progress. Additional tracking controls include the Enterprise Plan of Action and Milestones (POA&M) and the Progress Status Reports (PSR) on corrective actions. However, the current PBGC corrective action process remains disjointed, with stove-piped responsibilities that did not provide a holistic view to inform key decision makers on progress made and resources needed to complete critical tasks. PBGC is in the process of improving its corrective action process to be more cohesive, so that the CAP will inform the POA&M, which will in turn provide the Contracts and Control Review Department (CCRD) with the official status of corrective actions to be included in the Listing of Open OIG Recommendations.

The Corporation has also made progress in addressing the design of its infrastructure, account management, enterprise security management, and configuration management, but the control processes have not reached a level of maturity to prove their effectiveness. PBGC is implementing a disciplined and integrated approach to its Configuration, Change, and Release Management (CCRM) process and procedures consistent with NIST SP 800-53, Rev 3. The Corporation has also developed and is implementing additional policies and procedures; additional technical and configuration management tools are also being deployed. However, much remains to be done, and the pace of progress remains slow.

PBGC anticipated completing the assessment and authorization (A&A) process, formerly referred to as a certification and accreditation process, on the Corporation's major applications in FY 2012, but was unable to complete the process. The work on the A&As that has been performed through FY 2012 identified significant fundamental security control weaknesses in PBGC's general support systems, many of which were reported in prior years' audits and remain unresolved. We continued to find deficiencies in the areas of security management, access controls, configuration management, and segregation of duties. Control deficiencies were also found in policy administration, and the completion of A&As for all major applications.

PBGC developed an information security policy framework, including the Information Security Policy, which is supported by standards, processes, procedures, and a guide published in June 2012, The Office of Information Technology (OIT) Security Authorization Guide. This Guide provides steps and templates for use in preparing and completing the Security Authorization and Assessment process, which follows National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37. The Guide also provides a checklist to support OIT's review of submitted artifacts as evidence of controls implemented, and PBGC is documenting the review process with that checklist. The new information security policy framework has not reached a level of maturity to determine its effectiveness. PBGC is still in the process of establishing an enterprise-wide continuous monitoring program and deploying additional network management, monitoring, and configuration tools in its environment.

Our current year audit work found deficiencies in the areas of security management, access controls, and configuration management. Control deficiencies were also found in policy administration, and the A&A of major applications and contractor systems. An effective entity-wide security management program requires a coherent strategy for the architecture of the IT infrastructure, and the deployment of systems. The implementation of a coherent strategy provides the basis and foundation for the consistent application of policy, controls, and best practices. PBGC needs to continue improving and implementing a more cohesive corrective action process to address its programmatic IT weaknesses. This framework will require time for effective control processes to mature.

The financial internal control findings related to entity-wide security program planning and management, access controls, and configuration management were reported in the Report on Internal Controls Related to the Pension Benefit Guaranty Corporation's Fiscal Year 2012 and 2011 Financial Statements Audit (AUD-2013-2/FA-12-88-2)[1] issued on November 15, 2012. As a result of our findings, we made recommendations to correct the deficiencies. A table summarizing these findings is in Section VII of this report.

[1] http://oig.pbgc.gov/pdfs/FA-12-88-2.pdf

In addition, we are reporting deficiencies in the following FISMA areas for FY 2012:

            1. Information Technology Controls for The Protection of Privacy,
            2. Plan of Action and Milestones (POA&M).

Our audit also found deficiencies specifically related to responses required by OMB Memorandum M-12-20, which are included in this report. These findings and recommendations, not previously reported, are as follows.

VI.      FINDINGS AND RECOMMENDATIONS

1. Information Technology Controls for The Protection of Privacy

The configuration of one of PBGC's remote terminal servers allowed all PBGC remote access users, employees and contractors, read and write access to the server's local storage drive. The inadequate configuration resulted in users saving sensitive information to the drive and allowing other users (remote access PBGC employees and contractors) access to that information. Information discovered on the local storage drive included participant Privacy Act data, i.e., personally identifiable information (PII).[2]

[2] Personally identifiable information (PII) is any information about an individual that is maintained by an agency, including information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information (based on General Accountability Office and Office of Management and Budget definitions).

Recommendations:

     o    Immediately restrict access to the local storage drive on the remote terminal server so that only authorized users may read and write to the drive. (OIG Control Number FISMA-12-01)

          Management Response

          In FY2012 when this vulnerability was identified, OIT immediately reviewed and initiated actions to restrict access capabilities to the identified remote terminal server. OIT will provide evidence that this vulnerability no longer exists by June 30, 2013. We will then prepare and submit a Recommendation Completion Form for this item.

     o    Review all servers which permit remote access and validate that permissions to the local drive are configured in accordance with the concept of least privilege. (OIG Control Number FISMA-12-02)

          Management Response

          Based on the scope of actions executed to remediate FISMA 12-01, OIT will need time to complete the confirmation of our restricting least privilege remote access to all servers. While we plan to take action during FY 2013, we expect that we will need several months to collect the evidence to demonstrate we have installed and are following the installed solution. This places the expected timeframe to submit a Recommendation Completion Form on this by December 31, 2013.

PBGC has not implemented controls to protect all PII in its development environment, which does not have the same level of security controls as its production systems. Furthermore, backup tapes also have PII, but have not been encrypted to protect data from unauthorized disclosure.

Recommendations:

     o    Remove PII from the development environment. (OIG Control Number FISMA-11-02)

          PBGC's Scheduled Completion Date: 6/30/2014

     o    Encrypt and secure backup tapes that contain PII. (OIG Control Number FISMA-11-03)

          PBGC's Scheduled Completion Date: 06/30/2013

PBGC has not completed the security categorization of all of its information systems.

Recommendations:

     o    Complete the security categorization of PBGC information systems. (OIG Control Number FISMA-11-04)

          PBGC's Scheduled Completion Date: 12/31/2012

     o    Implement minimum security requirements to secure the CDMS application. (OIG Control Number FISMA-11-05)

          PBGC's Scheduled Completion Date: 08/31/2013

2. Plan of Action and Milestones (POA&M)

PBGC is still working on the process of consolidating its POA&Ms into an agency-wide POA&M. The process is not fully developed and implemented. In the spring of 2012, the new process was initiated, which includes having the Information System Security Officers (ISSOs) work with the Information System Owners (ISOs) to ensure that POA&M submissions are uniform. The PBGC Plan of Action and Milestones Process has a template with the required and optional fields and related definitions. These new submissions are being uploaded to the new PBGC POA&M database. The new process requires Information System/Information Owners to submit POA&M updates quarterly, and the Senior Agency Information Security Officer (SAISO) is required to prepare an agency-level report for the Chief Information Officer (CIO). After the 1Q 2012 POA&M data call, the Enterprise Information Security Office prepared the Plan of Action & Milestones Quarterly Analysis FY 2012, 1st Quarter, March 2012. Because the POA&M process is new and still being implemented, no evidence was provided to show that the CIO centrally tracks, maintains, and independently reviews/validates POA&M activities at least on a quarterly basis; this finding therefore continues for FY 2012.

Recommendations:

     o    Develop, maintain and update PBGC's entity-wide plan of action and milestones, at least on a quarterly basis, and ensure it includes all entity-wide security deficiencies noted. (OIG Control Number FISMA-09-08)

          PBGC's Scheduled Completion Date: 12/31/2012

     o    Disseminate PBGC's entity wide POA&M to all responsible parties to ensure corrective actions are taken in accordance with POA&M. (OIG Control Number FISMA-09-09)

          PBGC's Scheduled Completion Date: 12/31/2012

PBGC's POA&M process is not mature and effective. We noted the following deficiencies in FY 2009, FY 2010, FY 2011, and again in FY 2012:

       - No evidence that reports on the progress of security weakness remediation are being provided to the Chief Information Officer (CIO) on a regular basis.
       - No evidence that the PBGC CIO centrally tracks, maintains, and independently reviews/validates POA&M activities on at least a quarterly basis.

In FY 2012, PBGC created the "PBGC Plan of Action and Milestone Process" noted above; however, the implementation of the new process has not reached a level of maturity to determine its effectiveness.

Recommendations:

     o    Ensure that the agency and program specific plan of action and milestones are tracked appropriately and provided to PBGC's CIO regularly. (OIG Control Number FISMA-09-10)

          PBGC's Scheduled Completion Date: 12/31/2012

     o    Ensure PBGC's CIO centrally tracks, maintains and independently reviews/validates POA&M activities, at least on a quarterly basis. (OIG Control Number FISMA-09-11)

          PBGC's Scheduled Completion Date: 12/31/2012

VII. FISMA-RELATED FINDINGS REPORTED IN THE FINANCIAL STATEMENT AUDIT

The following table summarizes FISMA-related findings noted under entity-wide security program planning and management, access controls, and configuration management, that were reported in the Report on Internal Controls Related to the Pension Benefit Guaranty Corporation's Fiscal Year 2012 and 2011 Financial Statements Audit (AUD-2013-2/FA-12-88-2) issued November 15, 2012.

1. Finding Summary

   Weaknesses in PBGC's infrastructure design and deployment strategy for systems and applications adversely affected its ability to effectively implement common security controls across its systems and applications. Without full development and implementation, security controls are inadequate; responsibilities are unclear, misunderstood, and improperly implemented; and controls are inconsistently applied. Such conditions lead to insufficient protection of sensitive or critical resources or disproportionately high expenditures for controls. PBGC realizes these challenges, and has identified and documented the enterprise common security controls in the Agency Security Controls General Support System (ASCGSS) System Security Plan. PBGC completed and approved the Infrastructure Configuration Management Plan in FY 2012. The Corporation also approved its CCRM process and procedures in FY 2012. The future implementation of these strategies is designed to enable PBGC to implement a disciplined and integrated approach to CCRM, eliminate inconsistencies and weaknesses in the implementation of the processes and procedures, and ensure compliance with the NIST SP 800-53, Rev 3 common controls. However, PBGC had not completed and confirmed the implementation and operating effectiveness of its common security controls; management therefore cannot have confidence that the controls were implemented.

   Recommendations

   o  Effectively communicate to key decision makers the state of PBGC's IT infrastructure and environment to facilitate the prioritization of resources to address fundamental weaknesses. (OIG Control # FS-09-01) (PBGC scheduled completion date: June 30, 2013)

   o  Document and execute the details of the specific actions needed to complete and confirm the design, implementation, and operating effectiveness of all 130 identified common security controls. (OIG Control # FS-08-01) (PBGC scheduled completion date: February 28, 2015)

   o  Develop a process to review and validate reported progress on the implementation of the common security controls. Implement a strategy to test and document the effectiveness of each new control implemented. (OIG Control # FS-09-02) (PBGC scheduled completion date: September 30, 2012)

2. Finding Summary

   PBGC had not completed A&As for any major applications. However, PBGC continued to improve the PBGC Enterprise Information Security Program, which includes strengthening the system authorization process, verifying contractor A&A deliverables, and ensuring their quality and conformance to the statement of work as well as to the objectives of the PBGC risk management process and NIST SP 800-53. PBGC has focused on updating the underlying policies, strengthening the security program overall, obtaining quality contractors to conduct the assessments, and ensuring PBGC prepares for and begins the execution of the system authorization process.

   Recommendations

   o  Develop and implement a well-designed security management program that will provide security to the information and information systems that support the operations and assets of the Corporation, including those managed by contractors or other federal agencies. (OIG Control # FS-09-03) (PBGC scheduled completion date: September 30, 2012)

   o  Complete the development and implementation of the redesign of PBGC's IT infrastructure, and the procurement and implementation of technologies to support a more coherent approach to providing information services and information system management controls. (OIG Control # FS-09-04) (PBGC scheduled completion date: February 28, 2015)

   o  Implement an effective review process to validate the completion of the A&A packages for all major applications. The review should not be performed by an individual associated with the performance of the A&A, or by someone who could influence the results. This review should be completed for all components of the work performed to ensure substantial documentation is available that supports and validates the results obtained. (OIG Control # FS-08-02) (PBGC scheduled completion date: June 30, 2013)

   o  Ensure that adequate documentation is maintained which supports, substantiates, and validates all results and conclusions reached in the A&A process for all major applications. (OIG Control # FS-09-05) (PBGC scheduled completion date: September 30, 2012)

   o  Establish and implement comprehensive procedures and document the roles and responsibilities that ensure oversight and accountability in the A&A review process for major applications. Retain evidence of oversight reviews and take action to address erroneous or unsupported reports of progress. (OIG Control # FS-09-06) (PBGC scheduled completion date: September 30, 2012)

   o  Maintain an accurate and authoritative inventory list of major applications and general support systems. Ensure the list is disseminated to responsible staff and used consistently throughout PBGC OIT operations. (OIG Control # FS-09-07) (PBGC scheduled completion date: September 30, 2012)

   o  Implement an independent and effective review process to validate the completion of the A&A packages for all major applications.
(OIG Control #\n                                                       FS-08-03) (PBGC scheduled completion date: June\n                                                       30, 2013)\n\n                                                       Implement a documented, independent and effective\n                                                       review process to validate the completion of the A&A\n                                                       packages for general support systems hosted on\n                                                       behalf of PBGC by third party processors. The\n                                                       effective review should include examining host and\n                                                       general controls risk assessments. (OIG Control # FS-\n                                                       08-03) (PBGC scheduled completion date:\n                                                       September 30, 2012)\n\n3. Information security policies and procedures        Continue to disseminate the awareness of PBGC\xe2\x80\x99s\n   were       not    fully    disseminated     and     security policies and procedures through adequate\n   implemented. PBGC is not able to effectively        training. (OIG Control # FS-07-04) (PBGC scheduled\n   enforce compliance for all needed security          completion date: September 30, 2012)\n   awareness training. PBGC published SE-\n   PRC-01-01, Security Awareness and\n   Training Procedures, in June 2012. It\n   defines both annual security awareness\n   requirements and role-based requirements.\n   Security incident response training is still in\n   development and will be delivered during FY\n   2013 for all staff involved in security incident\n   management and response. 
PBGC is in its\n   second year of providing an online\n   information security awareness module\n   supplied by an OMB-approved Information\n   System Security Line of Business provider\n   (OPM\xe2\x80\x99s Go Learn Learning Management\n   System platform). This enables more\n   efficient tracking of staff and contractors who\n   have taken the module. PBGC fulfilled last\n   year\xe2\x80\x99s requirement for general security\n   awareness training using this service. Role-\n   based training for security is still in the\n   development stage. Lack of security\n   awareness can lead to increased risk of\n   security breaches and exposure to fraud.\n   Controls may not be placed in operation as\n   mandated by PBGC policies.\n\n4.   PBGC has not executed interconnection             Develop controls and implement an ISA or MOU with\n     security     agreements      (ISA)    or          all external organizations whose systems connect to\n     memorandums of understanding (MOU)                PBGC\xe2\x80\x99s systems. (OIG Control # FS-10-03) (PBGC\n     between all external organizations whose          scheduled completion date: September 30, 2012)\n     systems    interconnect   with    PBGC\xe2\x80\x99s\n     systems. Controls to require such\n\n\n\n                                                      11\n\x0c                  Finding Summary                                        Recommendation\n     agreements do not exist. PBGC is in the\n     process of planning and documenting ISAs\n     with all external organizations\xe2\x80\x99 systems. In\n     the absence of an ISA and MOU, either\n     party (PBGC or external system owner)\n     may be unfamiliar with the technical\n     requirements of the interconnection and the\n     details that may be required to provide\n     overall security for systems that are\n     interconnected.\n\n5.   
PBGC\xe2\x80\x99s configuration management controls         Develop and implement procedures and processes for\n     are labor intensive and ineffective.             the    consistent   implementation     of   common\n     Weaknesses in the design of PBGC\xe2\x80\x99s               configuration management controls to minimize\n     infrastructure and deployment strategy for       security weaknesses in general support systems. (OIG\n     systems and applications created an              Control # FS-07-07) (PBGC scheduled completion\n     environment      where     strong   technical    date: October 31, 2013)\n     controls and best practices cannot be\n     effectively   implemented.      Configuration    Develop and implement a coherent strategy for\n     management        controls    are  therefore     correcting IT infrastructure deficiencies and a\n     inconsistently implemented across PBGC\xe2\x80\x99s         framework for implementing common security controls,\n     general support systems. PBGC\xe2\x80\x99s three IT         and mitigating the systemic issues related to access\n     environments (development, test, and             control by strengthening system configurations and\n     production) do not share common server           user account management for all of PBGC\xe2\x80\x99s\n     configurations; therefore, management            information systems. (OIG Control # FS-09-12)\n     cannot rely on results obtained in the           (PBGC scheduled completion date: October 31,\n     development or test environments prior to        2013)\n     deployment in production. Overall, the           Establish baseline configuration standards for all of\n     PBGC environment suffers from inadequate         PBGC\xe2\x80\x99s systems. (OIG Control # FS-09-13) (PBGC\n     configuration, roles, privileges, logging,       scheduled completion date: October 31, 2013)\n     monitoring, file permissions, and operating\n     system access.                            
       Review configuration settings and document any\n                                                      discrepancies from the PBGC configuration baseline.\n                                                      Develop and implement corrective actions for systems\n                                                      that do not meet PBGC\xe2\x80\x99s configuration standards.\n                                                      (OIG Control # FS-09-14) (PBGC scheduled\n                                                      completion date: October 31, 2013)\n\n                                                      Ensure test, development and production databases\n                                                      are appropriately segregated to protect sensitive\n                                                      information, and fully utilized to increase system\n                                                      performance. (OIG Control # FS-09-15) (PBGC\n                                                      scheduled completion date: October 31, 2013)\n\n                                                      Establish interim procedures to implement available\n                                                      compensating controls (such as establishing a test\n                                                      team to verify developer changes in production) until a\n                                                      comprehensive solution to adequately segregate test,\n                                                      development and production databases can be\n\n\n\n                                                     12\n\x0c                 Finding Summary                                       Recommendation\n                                                      implemented. (OIG Control # FS-09-16) (PBGC\n                                                      scheduled completion date: October 31, 2013)\n\n6.   
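Finding 5 and recommendations FS-09-13 and FS-09-14 call for a configuration baseline, a review of each system against it, and recognition that development, test and production servers do not share a common configuration. The following is an added illustration of such a review, not code from the report, PBGC or the auditors: the parameter names, baseline values and per-environment settings are constructed placeholders, not PBGC's actual baseline or IAH values. It reports two things a reviewer needs separately: where a host deviates from the baseline, and where the three environments disagree with each other even when each passes on its own.

```python
"""Baseline configuration review across dev/test/prod (illustrative).

Added example, not code from the report, PBGC or the auditors. The
parameter names, baseline values and host settings are constructed
placeholders, not settings taken from PBGC's baseline or the IAH.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed baseline: parameter -> (rule, required value).
#   "min": observed must be >= required; "max": observed must be <= required;
#   "eq":  observed must equal required.
BASELINE: Dict[str, tuple] = {
    "password_min_length": ("min", 12),
    "password_max_age_days": ("max", 90),
    "account_lockout_threshold": ("max", 5),
    "audit_logging_enabled": ("eq", True),
    "world_writable_dirs": ("eq", 0),
}

# Constructed sample: the same application-server role in each environment.
SAMPLE_HOSTS: Dict[str, Dict[str, Any]] = {
    "dev": {"password_min_length": 12, "password_max_age_days": 90,
            "account_lockout_threshold": 5, "audit_logging_enabled": True,
            "world_writable_dirs": 0},
    "test": {"password_min_length": 12, "password_max_age_days": 90,
             "account_lockout_threshold": 5, "audit_logging_enabled": False,
             "world_writable_dirs": 0},
    # prod deviates on two values and does not report one setting at all
    "prod": {"password_min_length": 8, "password_max_age_days": 180,
             "account_lockout_threshold": 5, "audit_logging_enabled": True},
}


@dataclass
class Discrepancy:
    environment: str
    parameter: str
    observed: Any       # None when the host did not report the setting
    required: Any
    rule: str


def check_host(environment: str, settings: Dict[str, Any],
               baseline: Dict[str, tuple] = BASELINE) -> List[Discrepancy]:
    """Return every parameter on which a host deviates from the baseline.

    A setting the host does not report is itself a discrepancy: an unset
    value cannot be shown to meet the standard."""
    found = []
    for param, (rule, required) in baseline.items():
        observed = settings.get(param)
        if observed is None:
            ok = False
        elif rule == "min":
            ok = observed >= required
        elif rule == "max":
            ok = observed <= required
        else:
            ok = observed == required
        if not ok:
            found.append(Discrepancy(environment, param, observed, required, rule))
    return found


def environment_drift(hosts: Dict[str, Dict[str, Any]],
                      baseline: Dict[str, tuple] = BASELINE) -> Dict[str, Dict[str, Any]]:
    """Report baseline parameters whose values differ between environments.

    A value that passes the baseline is still a problem if dev, test and
    prod disagree: results obtained in dev or test then say nothing about
    production."""
    drift = {}
    for param in baseline:
        values = {env: settings.get(param) for env, settings in hosts.items()}
        if len(set(values.values())) > 1:
            drift[param] = values
    return drift


def review(hosts: Dict[str, Dict[str, Any]],
           baseline: Dict[str, tuple] = BASELINE) -> Dict[str, Any]:
    """Produce the review record: per-environment discrepancies plus drift."""
    return {
        "discrepancies": {env: check_host(env, s, baseline) for env, s in hosts.items()},
        "drift": environment_drift(hosts, baseline),
    }


if __name__ == "__main__":
    result = review(SAMPLE_HOSTS)
    for env, items in result["discrepancies"].items():
        for d in items:
            print(f"{env}: {d.parameter} observed={d.observed} required={d.rule} {d.required}")
    for param, values in result["drift"].items():
        print(f"drift: {param} {values}")
```

The output of `review()` is the documentation FS-09-14 asks for: each `Discrepancy` is a corrective-action item, and each drift entry shows which environment has to be brought in line before test results can be relied on for production.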
6. PBGC’s policies and practices have not effectively restricted the addition of unnecessary and generic accounts to systems in production. Consequently, the number of unnecessary and generic accounts grew over the years. Furthermore, PBGC’s configuration management weaknesses have contributed significantly to its inability to effectively implement controls to ensure the consistent removal and locking out of generic or dormant accounts. PBGC has made progress in the recertification and dormant account process. However, not all major systems have gone through the recertification process, such as those in the Benefits Administration and Payment Department. Furthermore, the actual removal of dormant accounts from systems is still a manual process and remains a risk to the timeliness of effective removal. The lack of controls to remove or disable inactive and dormant accounts exposes PBGC’s systems to exploitation and compromise. PBGC has taken action to review generic accounts in the general support system, removing those that are unnecessary and approving those that are necessary; however, more work is needed to ensure that all unnecessary and generic accounts are removed. Failure to identify and remove unnecessary accounts from the system could result in PBGC’s systems being at an increased risk of unauthorized access, modification, or deletion of sensitive system and/or participant information.

   Recommendations:

   Continue to remove unnecessary user and generic accounts. (OIG Control # FS-07-08) (PBGC scheduled completion date: July 31, 2012)

   Assess the risk associated with the lack of segregation of duties, password management, and overall inadequate system configuration. Discuss the risk with system owners and implement compensating controls wherever possible. If compensating controls cannot be implemented, the system owner should sign off indicating risk acceptance. (OIG Control # FS-09-17) (PBGC scheduled completion date: February 15, 2013)

   For the remaining systems, apply controls to remove/disable inactive and dormant accounts after a specified period in accordance with the IAH. (OIG Control # FS-07-12) (PBGC scheduled completion date: July 31, 2012)

7. Some developers have access to the production environment, which exposes PBGC to the risk of unauthorized modification of the application, the circumvention of critical controls, and unnecessary access to sensitive data. Weaknesses in the design of PBGC’s infrastructure and deployment strategy for legacy systems and applications created an environment where developers have unrestricted access to production. PBGC has identified the developers who have access to particular production assets, and removed unnecessary developer access to production. Service Desk tickets were submitted to re-establish necessary developer access along with the associated necessary Risk Acceptance forms. The Corporation now has mechanisms in place within the automated Enterprise Local Area Network (eLAN) process and records to document development team members’ access. There is now a better understanding of the risks associated with developers’ access to production, so that access is evaluated before it is granted. Not all developers’ access to production has been eliminated; PBGC is in the process of implementing compensating controls to restrict developers’ access to production. However, PBGC has not fully resolved infrastructure design issues. In the interim, PBGC implemented ACLs that will act as static firewalls until the comprehensive solution is fully implemented.

   Recommendation:

   Appropriately restrict developers’ access to the production environment to only temporary emergency access. (OIG Control # FS-07-10) (PBGC scheduled completion date: December 31, 2012)

8. Controls are not consistently applied to ensure that authentication parameters for general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and applications comply with the Information Assurance Handbook (IAH). PBGC’s decentralized approach to system development and configuration management has made it particularly difficult to implement consistent technical controls across PBGC’s many systems, platforms, and applications.

   Recommendations:

   Consistently apply controls to ensure that authentication parameters for PBGC’s general support systems (e.g. Novell, Windows, Sun Solaris, Oracle, etc.) and applications comply with the IAH. (OIG Control # FS-07-11) (PBGC scheduled completion date: July 31, 2014)

   Implement a manual review process whereby OIT periodically reviews systems for compliance with baseline settings. (OIG Control # FS-09-19) (PBGC scheduled completion date: October 31, 2013)
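Finding 6 above (recommendations FS-07-08 and FS-07-12) concerns the manual, incomplete removal of dormant, inactive and generic accounts, and the recertification point in finding 9 requires that user, generic, service and system accounts all be covered. The following is an added illustration of an automated pass over an account inventory, not code from the report, PBGC or the auditors. The inventory is constructed sample data, and the 90-day threshold is a placeholder because the period the IAH actually specifies is not stated in the report. The classification distinguishes accounts to remove (generic with no approved owner), to disable (no logon within the period, measured from creation when the account never logged on), and to review (shared credentials whose activity cannot be attributed to one person).

```python
"""Inactive, dormant and generic account review (illustrative).

Added example, not code from the report, PBGC or the auditors. The
account inventory is constructed sample data, and INACTIVITY_DAYS is a
placeholder: the period the IAH actually specifies is not stated in the
report.
"""
from datetime import date
from typing import Dict, List, Tuple

INACTIVITY_DAYS = 90            # placeholder threshold, see module docstring
AS_OF = date(2012, 9, 30)       # review date for the constructed sample

# Constructed sample inventory. 'generic' accounts are not tied to one
# person; 'shared' marks a credential known to be used by several people.
ACCOUNTS: List[Dict] = [
    {"name": "jdoe", "type": "user", "created": date(2009, 1, 5),
     "last_logon": date(2012, 9, 20), "owner": "jdoe", "approved": True},
    {"name": "tsmith", "type": "user", "created": date(2010, 6, 14),
     "last_logon": date(2012, 3, 1), "owner": "tsmith", "approved": True},
    {"name": "svc_backup", "type": "service", "created": date(2011, 2, 2),
     "last_logon": date(2012, 9, 29), "owner": "ops-team", "approved": True},
    {"name": "batchuser", "type": "generic", "created": date(2008, 11, 30),
     "last_logon": date(2012, 9, 28), "owner": None, "approved": False},
    {"name": "tmp_vendor", "type": "user", "created": date(2012, 1, 10),
     "last_logon": None, "owner": "unknown", "approved": False},
    {"name": "admin_shared", "type": "generic", "created": date(2007, 5, 1),
     "last_logon": date(2012, 9, 29), "owner": "dev-team", "approved": True,
     "shared": True},
]


def days_inactive(acct: Dict, as_of: date = AS_OF) -> int:
    """Days since last logon. An account that never logged on is measured
    from its creation date, so it cannot hide behind a missing timestamp."""
    last = acct.get("last_logon") or acct["created"]
    return (as_of - last).days


def classify(acct: Dict, as_of: date = AS_OF,
             threshold: int = INACTIVITY_DAYS) -> Tuple[str, str]:
    """Decide the action for one account: remove, disable, review or keep.

    Order matters: an unapproved generic account is removed even if it is
    in active use, and a dormant account is disabled before any question of
    attribution arises."""
    if acct["type"] == "generic" and not (acct.get("owner") and acct.get("approved")):
        return "remove", "generic account without an approved owner"
    idle = days_inactive(acct, as_of)
    if idle > threshold:
        return "disable", f"no logon for {idle} days (limit {threshold})"
    if acct.get("shared"):
        return "review", "shared credential; activity cannot be traced to one person"
    return "keep", "active and approved"


def recertification_report(accounts: List[Dict],
                           as_of: date = AS_OF) -> Dict[str, List[str]]:
    """Group account names by required action, for the system owner to act on."""
    report: Dict[str, List[str]] = {"remove": [], "disable": [], "review": [], "keep": []}
    for acct in accounts:
        action, _ = classify(acct, as_of)
        report[action].append(acct["name"])
    return report


if __name__ == "__main__":
    for acct in ACCOUNTS:
        action, reason = classify(acct)
        print(f"{acct['name']:<14} {acct['type']:<8} {action:<8} {reason}")
```

Running the classification on every inventory export, rather than only during the annual recertification, is what turns the manual removal step the finding describes into a repeatable control; the "review" bucket is the input to the compensating log review that finding 13 asks for.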
9. The OIT recertification process remains incomplete and does not include all user and system accounts. In addition, the Recertification of User Access Process, version 4.0, does not explicitly state that all accounts (e.g. user, system, and service) across all platforms and applications will be recertified annually. PBGC’s infrastructure design and configuration management weaknesses have contributed significantly to its inability to effectively implement controls to recertify all user and system accounts. The recertification process is still undergoing changes to ensure all major information systems are reviewed. PBGC implemented an automated eLAN workflow process at the end of FY 2011, which provided another way for PBGC’s customers to interact with the Service Desk and submit network and application services (eLAN) access requests. Effective May 1, 2012, PBGC required that users discontinue submitting paper eLAN forms and instead use the automated system, except in situations where the automated system does not accommodate a user’s unique and specific access request because the services and functions are not available in PBGC’s current Service Catalog. In those cases, the Service Desk is prepared to assist the user with the completion of the paper eLAN until the automated system can be modified. Current plans are to incorporate additional workflow modifications, to eliminate the need for any paper forms, into a planned Service Manager version 7 to version 9 migration, which is scheduled for FY 2013.

   Recommendation:

   Complete the implementation of the recertification process for all user and system accounts. Continue to perform annual recertification and include all of PBGC’s accounts (e.g. user, generic, service, and system accounts) for general support systems and major applications. (OIG Control # FS-07-13) (PBGC scheduled completion date: July 31, 2013)

10. Vulnerabilities found in key databases and applications include weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. These PBGC system vulnerabilities are caused by an ineffective deployment strategy in the development, test, and production environments. Ineffective system deployments have resulted in an environment that is in disarray. PBGC has deployed additional technical tools to address this weakness, but requires additional cycle time to determine their effectiveness. Security control weaknesses and vulnerabilities in key databases remain unresolved. These control weaknesses are scheduled to be corrected in 2013. These weaknesses expose PBGC to increased risk of data modification or deletion. Unauthorized changes could occur and not be detected.

    Recommendations:

    Implement controls to remedy vulnerabilities noted in key databases and applications, such as weaknesses in configuration, roles, privileges, auditing, file permissions, and operating system access. (OIG Control # FS-07-14) (PBGC scheduled completion date: October 31, 2013)

    Implement controls to remedy weaknesses in the deployment of servers, applications, and databases in the development, test, and production environments. (OIG Control # FS-09-20) (PBGC scheduled completion date: October 1, 2014)

11. Periodic logging and monitoring of security-related events for PBGC’s applications was inadequate for the CFS, Premium Accounting System (PAS), Trust Accounting System (TAS), Participant Records Information Systems Management (PRISM), and Integrated Present Value of Future Benefits (IPVFB) systems. PBGC’s IT infrastructure consists of multiple legacy systems and applications (e.g. PAS, TAS, IPVFB, PRISM, etc.) that do not have a coherent architecture for management and security.

    Recommendation:

    Implement a logging and monitoring process for application security-related events and critical system modifications (e.g. CFS, PAS, TAS, PRISM, and IPVFB). (OIG Control # FS-07-17) (PBGC scheduled completion date: April 30, 2013)

12. The application virtualization/application delivery product used by PBGC’s benefit payments service provider to connect to its benefit payments system, PLUS, is not included in the system boundary when conducting the A&A for the PLUS application. There is no documented security plan, risk assessment, security controls testing, or continuous monitoring program for the application virtualization/application delivery product.

    Recommendation:

    Include the application virtualization/application delivery product used by the benefit payments service provider to access the PLUS application in the system boundary. (OIG Control # FS-10-05) (PBGC scheduled completion date: TBD)
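Finding 11 and recommendation FS-07-17 call for a logging and monitoring process covering application security-related events and critical system modifications, and finding 13 adds that the review must not rely on the developers who made the changes and must cover changes by shared accounts. The following is an added illustration of the review step, not code from the report, PBGC or the auditors. The log format, event names, the lists of shared and developer accounts, the business-hours window and the log lines themselves are all constructed for this illustration and are not taken from CFS, PAS, TAS, PRISM, IPVFB or TeamConnect. It parses each event, flags critical changes, off-hours changes, activity by shared accounts and developer activity in production, and assigns each flagged entry a reviewer who is not the actor.

```python
"""Review of application security-event logs (illustrative).

Added example, not code from the report, PBGC or the auditors. The log
format, event names, account lists, business-hours window and the sample
log lines are all constructed for this illustration.
"""
from datetime import datetime
from typing import Any, Dict, List, Optional, Sequence

# Constructed policy data (placeholders).
CRITICAL_EVENTS = {"ROLE_GRANT", "ROLE_REVOKE", "CONFIG_CHANGE",
                   "ACCOUNT_CREATE", "PAYMENT_RULE_CHANGE"}
SHARED_ACCOUNTS = {"admin_shared"}   # credentials used by more than one person
DEVELOPERS = {"devuser1"}            # development staff who should not act in production
BUSINESS_HOURS = range(7, 19)        # 07:00 to 18:59 local time
REVIEWERS = ("tsmith", "secops1")    # independent reviewers, in preference order

# Constructed sample log, one event per line: ISO timestamp then key=value tokens.
SAMPLE_LOG = """\
2012-09-28T09:15:02 app=PAS user=jdoe event=LOGIN result=success
2012-09-28T09:16:40 app=PAS user=jdoe event=RECORD_VIEW target=premium/1182
2012-09-28T22:41:10 app=PAS user=admin_shared event=CONFIG_CHANGE target=batch.schedule detail=cron=03:00
2012-09-29T10:02:55 app=TAS user=tsmith event=ROLE_GRANT target=jdoe detail=role=APPROVER
2012-09-29T10:03:30 app=TAS user=tsmith event=LOGOUT
2012-09-29T11:30:00 app=PRISM user=devuser1 event=RECORD_UPDATE target=participant/44821 detail=field=address
"""


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one log line into a dict; return None for lines that lack a
    valid timestamp or the mandatory app/user/event fields."""
    parts = line.strip().split(" ")
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields: Dict[str, Any] = {"ts": ts}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value       # 'detail=cron=03:00' keeps 'cron=03:00' intact
    if not all(k in fields for k in ("app", "user", "event")):
        return None
    return fields


def flags_for(entry: Dict[str, Any]) -> List[str]:
    """Return the review flags an entry triggers (empty list means routine)."""
    flags = []
    if entry["event"] in CRITICAL_EVENTS:
        flags.append("critical change")
        if entry["ts"].hour not in BUSINESS_HOURS:
            flags.append("outside business hours")
    if entry["user"] in SHARED_ACCOUNTS:
        flags.append("shared account: actor not attributable")
    if entry["user"] in DEVELOPERS:
        flags.append("developer activity in production")
    return flags


def assign_reviewer(actor: str, reviewers: Sequence[str] = REVIEWERS) -> str:
    """Pick the first reviewer who is not the actor, so nobody reviews
    their own change; raise if no independent reviewer remains."""
    for reviewer in reviewers:
        if reviewer != actor:
            return reviewer
    raise ValueError(f"no independent reviewer available for {actor}")


def review_log(text: str) -> List[Dict[str, Any]]:
    """Entries that need a human reviewer, each with its flags and the
    independent reviewer assigned to it."""
    queue = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flags = flags_for(entry)
        if flags:
            queue.append({"entry": entry, "flags": flags,
                          "reviewer": assign_reviewer(entry["user"])})
    return queue


if __name__ == "__main__":
    for item in review_log(SAMPLE_LOG):
        e = item["entry"]
        print(f"{e['ts']} {e['app']} {e['user']} {e['event']} -> "
              f"{', '.join(item['flags'])} (reviewer: {item['reviewer']})")
```

The review queue, not the raw log, is what should be retained as evidence of monitoring: it records which events were judged to need attention, why, and who was accountable for looking at them.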
13. Privileged TeamConnect group accounts use shared accounts to grant access to users. The activity of these privileged users cannot be tracked or traced to an individual user. Additionally, TeamConnect developers have access to both the development and production system. Malicious changes could be made without detection.

    Recommendations:

    Establish unique accounts for each user in TeamConnect. (OIG Control # FS-11-02) (PBGC scheduled completion date: TBD)

    Restrict developers’ access to production. (OIG Control # FS-11-03) (PBGC scheduled completion date: September 30, 2012)

    Implement a log review process that does not rely on TeamConnect’s developers reviewing the logs. (OIG Control # FS-11-04) (PBGC scheduled completion date: TBD)

    Implement compensating controls for the logging and review of changes made by powerful shared accounts. (OIG Control # FS-11-05) (PBGC scheduled completion date: TBD)

VIII. FISMA RECOMMENDATIONS CLOSED IN FISCAL YEAR 2011

        OIG Control Number   Date Closed          Original Report Number
        FISMA-11-06          October 22, 2012     EVAL-2012-9/FA-11-82-7

IX.   PRIOR AND CURRENT YEARS’ OPEN FISMA RECOMMENDATIONS

        OIG Control Number                 Original Report Number

        Prior Year
        FISMA-09-08                        AUD-2010-6/FA-09-64-6
        FISMA-09-09                        AUD-2010-6/FA-09-64-6
        FISMA-09-10                        AUD-2010-6/FA-09-64-6
        FISMA-09-11                        AUD-2010-6/FA-09-64-6
        FISMA-11-01                        EVAL-2012-9/FA-11-82-7
        FISMA-11-02                        EVAL-2012-9/FA-11-82-7
        FISMA-11-03                        EVAL-2012-9/FA-11-82-7
        FISMA-11-04                        EVAL-2012-9/FA-11-82-7
        FISMA-11-05                        EVAL-2012-9/FA-11-82-7

        Current Year
        FISMA-12-01
        FISMA-12-02

X.   MANAGEMENT RESPONSE

If you want to report or discuss confidentially any instance of misconduct, fraud, waste, abuse, or mismanagement, please contact the Office of Inspector General.

Telephone:
The Inspector General’s HOTLINE
1-800-303-9737

The deaf or hard of hearing, dial FRS (800) 877-8339 and give the Hotline number to the relay operator.

Web:
http://oig.pbgc.gov/investigation/details.html

Or Write:
Pension Benefit Guaranty Corporation
Office of Inspector General
PO Box 34177
Washington, DC 20043-4177